Has this ever happened to you?
If you are reading this, I am guessing it has. Oh, the horror! Remember when your boss called you into his office and showed you this page? Remember the shame? So you turned autoindex off and went back to your desk with a smug face. That was easy. But alas, your plans for world domination were still available to the world at http://yoursite.com/static/plans_for_world_domination.doc . You hung your head in shame, resigned to serve your static content from your wsgi server.
Look up, my friend, this post is for you! You can keep your plans for world domination safe and still serve them at blazing fast speeds with a little Nginx trick called X-Accel-Redirect. It lets Nginx serve a file only when your application asks it to: all your application needs to do is add an "X-Accel-Redirect" header to the response, and Nginx takes over delivery of the file. I am assuming that you are using Nginx as a reverse proxy for your wsgi server. If you are not, then you should! Let's look at the configuration.
First, open up your nginx config in your favourite text editor (vim). You can typically locate it in /etc/nginx/sites-enabled/. Add the following config lines to it.
### Nginx Config

```nginx
# URL prefix you would like to serve the files from.
# A prefix location is used because `alias` inside a regex location
# requires captures; without them the whole URI is replaced by the alias.
location /protected-dir/ {
    alias /path/to/password-protected/dir/;  # directory containing the protected files
    internal;                                # clients cannot request this URI directly;
                                             # only an internal redirect (X-Accel-Redirect) reaches it
}
```
This is a sample view that you can use with X-Accel-Redirect. The important part to note is the "X-Accel-Redirect" header in the response. Its value is a URI under the protected location (here `/protected-dir/`); the remainder of the path is resolved relative to the directory aliased in the Nginx config.
### views.py

```python
import os

from django.contrib.auth.decorators import login_required
from django.http import HttpResponse


# ensures that only authorised people can access the files
@login_required
def protected_view(request, relative_filepath):
    # relative_filepath is the path of the file below the aliased directory
    pdf_name = os.path.splitext(os.path.basename(relative_filepath))[0]
    response = HttpResponse()
    response['Content-Type'] = 'application/pdf'
    response['Content-Disposition'] = 'attachment; filename=%s.pdf' % (pdf_name,)
    # Nginx intercepts this header and serves the file from the internal location
    response['X-Accel-Redirect'] = '/protected-dir/%s' % (relative_filepath,)
    return response
```
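The view above interpolates `relative_filepath` straight into the header; if that value comes from a request parameter, the application should make sure it cannot name anything outside the aliased directory before handing it to Nginx. Below is an added helper (example code, not from the original post) that performs that containment check and builds the header value; `PROTECTED_DIR`, `ACCEL_PREFIX`, `build_accel_redirect` and `make_demo_root` are assumed names, and the demo files are constructed.

```python
import tempfile
from pathlib import Path, PurePosixPath
from typing import Optional
from urllib.parse import quote

# Must match the `location` prefix and `alias` directory in the Nginx config
# (assumed values, the same placeholders used in the config above).
ACCEL_PREFIX = "/protected-dir/"
PROTECTED_DIR = Path("/path/to/password-protected/dir")


def build_accel_redirect(requested: str, root: Path = PROTECTED_DIR) -> Optional[str]:
    """Return the X-Accel-Redirect value for `requested`, or None if the name
    is empty, absolute, contains '..', escapes `root` (e.g. via a symlink)
    or does not refer to an existing regular file."""
    candidate = PurePosixPath(requested)
    # Cheap syntactic rejection before touching the filesystem at all.
    if not candidate.parts or candidate.is_absolute() or ".." in candidate.parts:
        return None
    root_real = root.resolve()
    # resolve() follows symlinks, so a link inside root that points outside it
    # fails the containment check below.
    target = root_real.joinpath(*candidate.parts).resolve()
    if root_real not in target.parents or not target.is_file():
        return None
    # The header carries a URI, so percent-encode spaces and non-ASCII.
    return ACCEL_PREFIX + quote(target.relative_to(root_real).as_posix())


def make_demo_root() -> Path:
    """Create a throwaway protected directory holding two constructed files."""
    root = Path(tempfile.mkdtemp(prefix="protected-"))
    (root / "sub").mkdir()
    (root / "plans_for_world_domination.pdf").write_bytes(b"%PDF-1.4 demo")
    (root / "sub" / "report.pdf").write_bytes(b"%PDF-1.4 demo")
    return root


if __name__ == "__main__":
    demo = make_demo_root()
    for name in ["plans_for_world_domination.pdf", "sub/report.pdf",
                 "../settings.py", "/etc/passwd", "sub", "missing.pdf"]:
        print(f"{name!r:36} -> {build_accel_redirect(name, demo)}")
```

In the Django view, call `build_accel_redirect(relative_filepath)` and return a 404 when it yields None instead of setting the header.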
And that's it! You can share your plans for world domination only within your cult. Or serve sensitive customer information with authorisation.
In general, it is a good idea to serve your static files from a server like Nginx, which excels at it, rather than burden your application server with it. X-Accel-Redirect allows you to use the power of Nginx while maintaining authorisation requirements. You can read more about this at http://wiki.nginx.org/XSendfile and http://wiki.nginx.org/X-accel . This is also a good guide for managing your static files in Django: https://docs.djangoproject.com/en/dev/howto/static-files/ .